23andMe bills itself as a company that “democratizes personal genetics” for the world, and the description is not far off: for $99, customers spit into an at-home kit, mail it in, and then go online to learn about their ancestral origins and far-flung relatives.

But customers also get their raw DNA data, as a large downloadable text file listing their genotype at each of the hundreds of thousands of positions the kit tests, and they can do whatever they want with it. Thanks to 23andMe’s API, developers can pull the same data from any customer who grants their app access. Sometimes this democratization of information yields more than 23andMe likely bargained for.

This week, an anonymous programmer posted on GitHub an early-stage program called Genetic Access Control. It is, in effect, a log-in gate. The third-party program connects to the company’s API and reads the 23andMe accounts of users who agree to share their data, through the same kind of consent prompt they would see when letting an app connect to their Facebook or Twitter profile. Websites using Genetic Access Control could scan that data for information about “sex, ancestry, disease susceptibility, and arbitrary characteristics” and then restrict users’ access to the site based on this information.
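To make concrete how little the gating step takes once a site holds a user's genotype data, here is an added example. It is not the Genetic Access Control code from GitHub and not a 23andMe API client; it parses a 23andMe-style raw-data export, the file described above, and applies a named policy to it. The only thing taken from the real product is the raw-data layout (comment lines starting with `#`, then tab-separated rsid, chromosome, position and genotype, with `--` for a no-call). The sample rows, the rsid `rs9999999`, the Y-chromosome sex heuristic and the rule names are constructed for illustration and carry no real genetic meaning.

```python
"""Minimal 'genetic gate' over a 23andMe-style raw-data export.

Added example; this is not the Genetic Access Control code from GitHub.
Assumed: the raw-data layout (lines starting with '#' are comments, then
tab-separated rsid, chromosome, position, genotype, with '--' for a no-call).
The sample exports, the rsid 'rs9999999' and the rules below are constructed
for illustration and carry no real genetic meaning.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Call:
    rsid: str
    chromosome: str
    position: int
    genotype: str


def parse_raw_data(text: str) -> Dict[str, Call]:
    """Parse an export into a dict keyed by rsid, skipping comments and blank lines."""
    calls: Dict[str, Call] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields")
        rsid, chrom, pos, geno = parts
        calls[rsid] = Call(rsid, chrom, int(pos), geno)
    return calls


def called_on_chromosome(calls: Dict[str, Call], chrom: str) -> int:
    """Number of positions on `chrom` that carry an actual call (not '--')."""
    return sum(1 for c in calls.values() if c.chromosome == chrom and c.genotype != "--")


# A rule takes the parsed calls and returns True when the user passes it.
Rule = Callable[[Dict[str, Call]], bool]


def require_y_calls(minimum: int = 1) -> Rule:
    """Crude sex screen: pass only if at least `minimum` Y-chromosome calls exist.
    Constructed heuristic for the example, not how 23andMe reports sex."""
    return lambda calls: called_on_chromosome(calls, "Y") >= minimum


def require_genotype(rsid: str, allowed: Tuple[str, ...]) -> Rule:
    """Pass only if the user's genotype at `rsid` is one of `allowed`.
    A missing or uncalled position fails closed."""
    def rule(calls: Dict[str, Call]) -> bool:
        call = calls.get(rsid)
        return call is not None and call.genotype in allowed
    return rule


def evaluate(calls: Dict[str, Call], policy: Dict[str, Rule]) -> Tuple[bool, List[str]]:
    """Apply every named rule; return (allowed, names of the rules that failed)."""
    failed = [name for name, rule in policy.items() if not rule(calls)]
    return (not failed, failed)


# Constructed sample exports (a real file has hundreds of thousands of rows).
EXPORT_WITH_Y = """# This data file generated by 23andMe at: (constructed sample)
# rsid\tchromosome\tposition\tgenotype
rs9999999\t1\t82154\tGG
rs9999998\t1\t752566\tAG
rs9999997\tX\t154931\tA
rs9999996\tY\t2655180\tC
rs9999995\tY\t2655500\tT
"""

EXPORT_WITHOUT_Y = """# rsid\tchromosome\tposition\tgenotype
rs9999999\t1\t82154\tAG
rs9999998\t1\t752566\tAG
rs9999997\tX\t154931\tAA
rs9999996\tY\t2655180\t--
rs9999995\tY\t2655500\t--
"""

# Constructed policy: a sex screen plus one arbitrary marker, as the README
# quoted above describes ("sex, ancestry, disease susceptibility, and arbitrary
# characteristics").
POLICY: Dict[str, Rule] = {
    "y_calls": require_y_calls(1),
    "marker": require_genotype("rs9999999", ("GG",)),
}


def gate(export_text: str, policy: Dict[str, Rule] = POLICY) -> Tuple[bool, List[str]]:
    """The whole 'log-in gate': parse the export, evaluate the policy."""
    return evaluate(parse_raw_data(export_text), policy)


if __name__ == "__main__":
    for label, text in (("with_y", EXPORT_WITH_Y), ("without_y", EXPORT_WITHOUT_Y)):
        allowed, failed = gate(text)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} failed={failed}")
```

Two properties of this gate are worth noticing from a security standpoint. First, the site never needs to store the export: an allow/deny answer already leaks one bit about the user per rule, so the decision itself is a disclosure. Second, unlike a password or an OAuth token, the underlying data cannot be rotated after it has been shared; revoking the app's API access stops future reads but does nothing about copies already taken.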